Hi List!

Don't see much discussion about MAC here, time to change that! :-)

Currently trying to set up a service jail, according to instructions in the handbook [1]. The problem I'm facing is that nullfs does not seem to support multilabeled filesystems, or am I missing something?

    ls -lZ /usr/js/testjail/var/run/test
    -rw-r--r--  1 root  wheel  biba/equal  0 Feb  6 17:15 /usr/js/testjail/var/run/test

Nullfs-mounting it inside the jail:

    ls -lZ /usr/j/testjail/s/var/run/test
    -rw-r--r--  1 root  wheel  biba/high   0 Feb  6 17:15 /usr/j/testjail/s/var/run/test

Currently, it looks like this:

    /usr/j/mroot on /usr/j/testjail (nullfs, local, nosuid, read-only)
    /usr/js/testjail on /usr/j/testjail/s (nullfs, local, nosuid)
    devfs on /usr/j/testjail/dev (devfs, local, multilabel)

From inside the jail (where this directory is mounted), the maclabel appears to be the following instead:

    # ls -lZ /var/run/test
    -rw-r--r--  1 root  wheel  biba/high   0 Feb  6 16:15 /var/run/test

Does the list have any suggestions for workarounds? One alternative would be to create a jail without shared root filesystems and skip nullfs, but perhaps there are other tricks I am not aware of?

BR
Andreas

[1] http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-application.html
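One way to check whether MAC labels survive a nullfs mount, as an added example that is not part of Andreas' post: a POSIX sh script that compares the label column of `ls -lZ` output for the backing path with the label seen through the nullfs view and flags any file whose label changed. The `ls -lZ` lines below are constructed sample data modelled on the output quoted in the post; on a live FreeBSD host you would feed in the real command output instead.

```shell
#!/bin/sh
# Added example (not from the original post): detect MAC labels that differ
# between a file's backing filesystem path and its nullfs-mounted view.
# Input lines follow the `ls -lZ` column order seen in the post:
#   mode links owner group label size month day time path

# Constructed sample output: the backing filesystem and the nullfs view.
BACKING_LS='-rw-r--r-- 1 root wheel biba/equal 0 Feb 6 17:15 /usr/js/testjail/var/run/test
-rw-r--r-- 1 root wheel biba/low 0 Feb 6 17:15 /usr/js/testjail/var/run/other'
NULLFS_LS='-rw-r--r-- 1 root wheel biba/high 0 Feb 6 17:15 /usr/j/testjail/s/var/run/test
-rw-r--r-- 1 root wheel biba/low 0 Feb 6 17:15 /usr/j/testjail/s/var/run/other'

# label_of LS_OUTPUT RELPATH: print the label (5th column) of the line whose
# path ends with RELPATH; prints nothing if no such line exists.
label_of() {
    printf '%s\n' "$1" | awk -v rel="$2" '
        substr($NF, length($NF) - length(rel) + 1) == rel { print $5 }'
}

# check_label RELPATH: return 0 when both views agree, 1 when the nullfs view
# shows a different label than the backing filesystem, 2 if either is missing.
check_label() {
    backing=$(label_of "$BACKING_LS" "$1")
    mounted=$(label_of "$NULLFS_LS" "$1")
    if [ -z "$backing" ] || [ -z "$mounted" ]; then
        printf 'missing: %s\n' "$1"
        return 2
    fi
    if [ "$backing" = "$mounted" ]; then
        printf 'ok: %s %s\n' "$1" "$backing"
        return 0
    fi
    printf 'MISMATCH: %s backing=%s nullfs=%s\n' "$1" "$backing" "$mounted"
    return 1
}

# Walk the files of interest; a non-zero status is reported, not fatal.
for f in /var/run/test /var/run/other; do
    check_label "$f" || :
done
```

With the constructed data, /var/run/test is reported as a mismatch (biba/equal vs. biba/high, exactly the symptom in the post) while /var/run/other passes.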